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Abstract. A notion of alternating timed automata is proposed. It is 
shown that such automata with only one clock have decidable emptiness 
problem over finite words. This gives a new class of timed languages 
which is closed under boolean operations and which has an effective pre¬ 
sentation. We prove that the complexity of the emptiness problem for 
alternating timed automata with one clock is non-primitive recursive. 
The proof gives also the same lower bound for the universality prob¬ 
lem for nondeterministic timed automata with one clock. We investigate 
extension of the model with epsilon-transitions and prove that empti¬ 
ness is undecidable. Over infinite words, we show undecidability of the 
universality problem. 


1 Introduction 

Timed automata is a widely studied model of real-time systems. It is obtained 
from finite nondeterministic automata by adding clocks which can be reset and 
whose values can be compared with constants. In this paper we consider alter¬ 
nating version of timed automata obtained by introducing universal transitions 
in the same way as it is done for standard nondeterministic automata. From 
the results of Alur and Dill 0 it follows that such a model cannot have decid¬ 
able emptiness problem as the universality problem for timed automata is not 
decidable. In the recent paper [22 Ouaknine and Worrell has shown that the 
universality problem is decidable for nondeterministic automata with one clock, 
over finite timed words. Inspired by their construction, we show that the empti¬ 
ness problem for alternating timed automata with one clock is decidable as well. 
We also prove not primitive recursive lower bound for the problem. The proof 
implies the same bound for the universality problem for nondeterministic timed 
automata with one clock, thereby answering the question posed by Ouaknine 
and Worrell m To complete the picture we also show that an extension of our 
model with e-transitions has undecidable emptiness problem. Furthermore, we 
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prove undecidability of the universality problem for one-clock nondeterministic 
automata over infinite timed words. 

The crucial property of timed automata models is the decidability of the 
emptiness problem. The drawback of the model is that the class of languages rec¬ 
ognized by timed automata is not closed under complement and the universality 
question is undecidable (TT^-hard) 0. One solution to this problem is to restrict 
to deterministic timed automata. Another, is to restrict the reset operation; this 
gives the event-clock automata model j7|. A different ad-hoc solution could be 
to take the boolean closure of the languages recognized by timed automata. This 
solution does not seem promising due to the complexity of the universality prob¬ 
lem. This consideration leads to the idea of using automata with one clock for 
which the universality problem is decidable. The obtained class of alternating 
timed automata is by definition closed under boolean operations. Moreover, using 
the method of Ouaknine and Worrell, we can show that the class has decidable 
emptiness problem. As it can be expected, there are languages recognizable by 
timed automata that are not recognizable by alternating timed automata with 
one clock. More interestingly, the converse is also true: there are languages recog¬ 
nizable by alternating timed automata with one clock that are not recognizable 
by nondeterministic timed automata with any number of clocks. 

Once the decidability of the emptiness problem for alternating timed au¬ 
tomata with one clock is shown, the next natural question is the complexity of 
the problem. We show a non-primitive recursive lower bound. For this we give a 
reduction of the reachability problem for lossy channel systems EH The reduc¬ 
tion shows that the lower bound holds also for purely universal alternating timed 
automata. This implies non-primitive recursive lower bound for the universality 
problem for nondeterministic timed automata with one clock. We also point out 
that allowing e-transitions in our model permits to code perfect channel systems 
and hence makes the emptiness problem undecidable. 

All this applies to automata over finite timed words. In the case of infinite 
words, we prove undecidability of the universality problem of nondeterministic 
automata with one clock, by the reduction of the halting problem. This immedi¬ 
ately implies undecidability of the emptiness problem for alternating one-clock 
automata. 


Related work Our work is strongly inspired by the results of Ouaknine and 
Worrell j22j- Techniques similar to our decidability proof and to insights of 22 
have been developed eariler in m- 

Except for ESI, it seems that the notion of alternation in the context of timed 
automata was not studied before. The reason was probably undecidability of 
the universality problem. The alternating automata introduced in ESI run over 
infinite timed trees and were used to show decidability of model checking for 
TCTL. Emptiness for these automata is apparently undecidable, even under 
one-clock restriction, in view of our result for one-clock automata over infinite 
words. On the other hand, emptiness for nondeterministic timed tree automata 

is decidable m- 
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Some research (see 



and references within) was devoted to the 


control problem in the timed case. While in this case one also needs to deal with 
some universal branching, these works do not seem to have direct connection to 
our setting. 

Furthermore, let us mention that restrictions to one clock (and two clocks) 
have been already considered in the context of TCTL model-checking of timed 
systems GEEH, leading to a lower complexity in some cases. Finally, in [SJ the 
parametric variant of emptiness problem was shown decidable under restriction 
to one clock (similarly as in our setting) and undecidable for three clocks; the 
two-clock case is left as an open question. 

Similar results to ours were obtained independently by Ouaknine and Wor¬ 
rell 23 an d by Abdulla et al m The former paper defines alternating timed au¬ 
tomata, in a slightly different way than ours, and applies these automata to prove 
decidability of model-checking for Metric Temporal Logic. The non-primitive re¬ 
cursive lower bound is also established. In the latter paper, the undecidability 
result for the universality problem over infinite words is proved. 

Organization of the paper In the next section we define alternating timed au¬ 
tomata; we discuss their basic properties and relations with nondeterministic 
timed automata. In Section 0 we show decidability of the emptiness problem 
for alternating timed automata with one clock. In the following two sections 
we show a non-primitive recursive lower bound for the problem, and then the 
undecidability result for an extension of our model with e-moves. In Section 0 
we investigate automata over infinite words. 

A preliminary version of this article appeared as m- 

2 Alternating Timed Automata 

In this section we introduce the alternating timed automata model and study 
its basic properties. The model is a quite straightforward extension of the non¬ 
deterministic model. Nevertheless some care is needed to have the desirable 
feature that complementation corresponds to exchanging existential and univer¬ 
sal branchings (and final and non-final states). As can be expected, alternat¬ 
ing timed automata can recognize more languages than their nondeterministic 
counterparts. The price to pay for this is that the emptiness problem becomes 
undecidable, in contrast to timed automata j5j- This motivates the restriction 
to automata with one clock. With one clock alternating automata can still rec¬ 
ognize languages not recognizable by nondeterministic automata and moreover, 
as we show in the next section, they have decidable emptiness problem. 

For a given finite set C of clock variables (or clocks in short), consider the set 
<£( C ) of clock constraints a defined by 


x < c | x < c | ctiA<T 2 | —'Cr, 


a 


where c stands for an arbitrary nonnegative integer constant, and x £ C. For 
instance, note that tt (always true), or x = c, can be defined as abbreviations. 
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Each constraint a denotes a subset [cr] of (R+) c , in a natural way, where K + 
stands for the set of nonnegative reals. 

Transition relation of a timed automaton [5] is usually defined by a finite set 
of rules 6 of the form 


SCQx Ex $(C) xQx V(C), 

where Q is a set of locations (control states) and E is an input alphabet. A rule 
(q,a,<r,q' ,r) £ 5 means, roughly, that when in a location q , if the next input 
letter is a and the constraint a is satisfied by the current valuation of clock 
variables, the next location can be q' and the clocks in r should be reset to 0. 
Our definition below uses an easy observation, that the relation 8 can be suitably 
rearranged into a finite partial function 

QxEx $(C) -4 V{Q x V{C)). 

The definition below comes naturally when one thinks of an element of the 
codonrain as a disjunction of a finite number of pairs ( q,r ). Let B + (X) denote 
the set of all positive boolean formulas over the set X of propositions, i.e., the 
set generated by: 

0 ::= X | 0i A <(>2 | 01 V 02- 


Definition 1 (Alternating timed automaton). An alternating timed au¬ 
tomaton is a tuple A = (Q, qo, E, C, F, S) where: Q is a finite set of loca¬ 
tions, E is a finite input alphabet, C is a finite set of clock variables, and 
8 : Q x E x @(C) —> B + (Q x T[C)) is a finite partial function. Moreover qo £ Q is 
an initial state and F C Q is a set of accepting states. We also put an additional 
restriction: 

(Partition) For every q and a, the set {[a] : 8(q, a, a) is defined} gives a (finite) 
partition of (R+) c ■ 

The (Partition) condition does not limit the expressive power of automata. We 
impose it because it permits to give a nice symmetric semantic for the au¬ 
tomata as explained below. We will often write rules of the automaton in a 
form: q,a,a t— > b. 

By a timed word over E we mean a finite sequence 

w = (ai,ti)(a 2 ,t 2 ) ■ ■ • (a n ,t n ) (1) 

of pairs from E x R + . Each L describes the amount of time that passed between 
reading at-\ and cq, i.e., ai was read at time ti, 02 was read at time ti+t 2 j 
and so on. In Sections @1 and 0 it will be more convenient to use an alternative 
representation where L denotes the time elapsed since the beginning of the word. 
In this paper we deal with finite timed words, except Section [G] where we will 
investigate timed w-words. 
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To define an execution of an automaton, we will need two operations on 
valuations v G (R + ) c . A valuation v+f, for t G R + , is obtained from v by 
augmenting value of each clock by t. A valuation v[r := 0 ], for r C C, is obtained 
by reseting values of all clocks in r to zero. 

For an alternating timed automaton A and a timed word w as in 0 , we 
define the acceptance game G^ w between two players Adam and Eve. Intuitively, 
the objective of Eve is to accept w, while the aim of Adam is the opposite. 
A play starts at the initial configuration (<7o,v 0 ), where v 0 : C —> R + is a 
valuation assigning 0 to each clock variable. It consists of n phases. The (fc+l)- 
th phase starts in (%, v*,), ends in some configuration (qk+i, Vfc+i) and proceeds 
as follows. Let v := Vk+tk+i- Let er be the unique constraint such that v satisfies 
er and b = 6(qk,ak+ i, er) is defined. Existence and uniqueness of such a is implied 
by the (Partition) condition. Now the outcome of the phase is determined by 
the formula b. There are three cases: 

— b = b\ A &2: Adam chooses one of subformulas b\ , 62 and the play continues 
with b replaced by the chosen subformula; 

— b = bi V b 2 : dually, Eve chooses one of subformulas; 

— b = (q, r) G Q x V(C): the phase ends with the result (gfc+i,Vfc+i) := 
(<7, v[r := 0 ]). A new phase is starting from this configuration if fc +1 < n. 

The winner is Eve if q n is accepting ( q n G F), otherwise Adam wins. 

Formally, a play is a finite sequence of consecutive game positions of the 
form (fc, g, v) or ( k,q,b ), where k is the phase number, b a boolean formula, q 
a location and v a valuation. A strategy of Eve is a mapping which assigns to 
each such sequence ending in Eve’s position a next move of Eve. A strategy is 
winning if Eve wins whenever she applies this strategy. 

Definition 2 (Acceptance). The automaton A accepts w iff Eve has a win¬ 
ning strategy in the game G^ w . By L(A) we denote the language of all timed 
words w accepted by A. 

To show the power of alternation we give an example of an automaton for a 
language not recognizable by standard (i.e. nondeterministic) timed automata 


(cf. 0 ). 


Example 1. Consider a language consisting of timed words w over a singleton 
alphabet {a} that contain no pair of letters such that one of them is precisely 
one time unit later than the other. The alternating automaton for this language 
has three states qo,qi,q2- State qo is initial. The automaton has a single clock x 
and the following transition rules: 


q 0 ,a,tt ^ (Qo, 0 ) A (<7i,M) 
<71, a, x=l (<J2,0) 


qi,a, xf=-\ 1 ^ (< 7 i, 0 ) 
<72, a, tt 1 * (92, 0) 


States qo and q± are accepting, <72 is not. In state <70, at each input letter, Adam 
chooses either to stay in qo either to to go to <71; In the latter case clock x is 
reset. Furthermore, the automaton can only quit state <71 exactly one time unit 
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after entering it. Hence, Adam has a strategy to reach (72 iff the word is not in 
the language, i.e., some letter is one time unit after some other. 

As one expects, we have the following: 

Proposition 1. The class of languages accepted by alternating timed automata 
is effectively closed under all boolean operations: union, intersection and com¬ 
plementation. These operations do not increase the number of clocks of the au¬ 
tomaton. 

The closure under conjunction and disjunction is straightforward since we 
permit positive boolean expressions as values of the transition function. Due to 
the condition (Partition) the automaton - 1 A for the complement is obtained from 
A by exchanging conjunctions with disjunctions in all transitions and exchanging 
accepting states with non-accepting states. 

Definition 3. An alternating timed automaton A is called purely universal if 
the disjunction does not appear in the transition rules 6. Dually, A is purely 
existential if no conjunction appears in 6. 

Clearly, if A is purely universal (purely existential) then ~^A is purely exis¬ 
tential (purely universal). It is obvious that every purely existential automaton 
is a standard nondeterministic timed automaton. The converse requires a proof 
because of the (Partition) condition. 

Proposition 2. Every standard nondeterministic automaton is equivalent to a 
purely existential automaton. 

Proof. Transition relation of a nondeterministic timed automaton is usually de¬ 
fined by a finite set 6 of rules of the form (q , a , a,q',r) G QxSx <P(C) xQx V(C). 
Given such an automaton A , the corresponding purely existential alternating au¬ 
tomaton A has the same set Q of states as A, plus one additional state q sink . 
Automaton A has the same initial state and accepting states as A, the same set 
of clocks C, and the same input alphabet. The only essential difference is that 5 
is replaced by 6 : Q x E x <P(C) —> B + (Q x V(C)), defined as follows. 

In fact, we prefer to define <5 equivalently as S : Q x E x d>(C) A V(Q x V(C)). 
Let <Ti ... a n be all clock constraints appearing in S. The guards appearing in 6 
will be ax , for X C {1... 71 } , defined by: 

ox = Aj 6 A'cq A A 

I.e., we consider conjunctions of arbitrary sets of guards tTj. The value S(q, a, a) is 
defined iff a = ax for some X , hence S clearly satisfies the (Partition) condition. 
The constraints ax satisfying [ax] = 0 can be safely omitted. We put: 

5{q,a,ax) = {(q',r) : (q,a,a.i,q',r) € 8 for some i G X}. 

If 8{q,a,ax) is empty, we put S(q,a,ax) = {(<Zsink, 0)}- And finally we put: 
£>( 9 sink, a, ax) = {(< 7 sink, 0)}, for any a and a X - 

It is routine now to check that languages accepted by A and A coincide. □ 
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In the following sections, we consider emptiness, universality and contain¬ 
ment for different classes of alternating timed automata. For clarity, we recall 
definitions here. 

Definition 4. For a class C of automata we consider three problems: 

— Emptiness: given A € C is L(A) empty. 

— Universality: given A £ C does L(A) contain all timed words. 

— Containment: given A, 13 £ C does L(A) C L(B). 

It is well known that the universality is undecidable for non-deterministic timed 
automata jS] with at least two clocks. As a consequence, all three problems are 
undecidable for alternating timed automata with two clocks. This is why, in the 
rest of the paper, we focus on automata with one clock only. 

Proviso: In the following all automata have one clock. 

The automaton from Example ^ uses only one clock. This shows that one clock 
alternating automata can recognize some languages not recognizable by nonde- 
terministic automata with many clocks. The converse is also true: 

Theorem 1. Classes of languages recognizable by nondeterministic timed au¬ 
tomata and by one-clock alternating timed automata are incomparable. 

Proof. We show a language acceptable by a deterministic automaton with many 
clocks but not acceptable by an alternating automaton with one clock. 

Consider the timed language over the singleton alphabet {5} consisting of 
the words containing appearances of the letter b at times and where 0 < 
ti < t 2 < 1 , no other b in between 0 and 1 and precisely one b between t\ +1 and 
t 2 + 1. We will show that this language cannot be accepted by an alternating 
timed automaton with one clock. Obviously it is accepted by a deterministic 
timed automaton with two clocks. 

For a preparation consider a deterministic untimed automaton B. A sequence 
b k of k letters b determines a function /® : Q B —> Q B saying that if started in 
the state q after reading b k the automaton will end in f®{q). Clearly the number 
of such functions is bounded if the number of states is fixed. Thus there are m 
and l, depending only on the number of states, such that = /® +i . Moreover 
fm+i = fm+l+i fOT all* > 0. 

To arrive at a contradiction assume that our language is recognized by an 
ATA A with n states. Suppose for a moment that all constants in the tests in 
transition function of the automaton are integers. Let m and l be such that 
fm+i = fm+l+i f° r alH > 0 and for all deterministic automata B with at most 
2 Z states. 

Now consider two words w\ and W 2 - In wi we have b at times 0.3, 0.7, 1.5 
and m 6 ’s somewhere in the interval (1,1.3) as well as m 6 ’s somewhere in the 
interval (1.7, 2). Word W 2 is obtained from w\ by adding l 6 ’s somewhere in the 
interval (1.3,1.7); but not at point 1.5 of course. We will show that if A accepts 
w i then it also accepts W 2 - 
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Consider the accepting run of ^lonroi. Look at the configurations in which 
the automaton reaches at time 1. Let (q,v) be one of them. The value of the 
clock v can be 0.3, 0.7 or 1. This is because there are only two letters till 1 and 
the automaton can reset clock only when it reads a letter. We will analyse the 
three cases one by one. 

If v = 1 then it is easy to see that from a configuration ( q , v) the automaton 
has no use for the clock in the interval (1,2). If not reset, the value of the clock 
in this interval will be in (1,2) and the automaton can compare the values only 
with integers. If the clock is reset then its value will stay in (0,1) till the end 
of the interval. Thus from the configuration (g, v) automaton A behaves as an 
alternating automaton without a clock with additional flag telling whether there 
was a reset or not. Because it has n states, it is equivalent to a deterministic 
automaton of at most 2 2 states. We have that if it accepts from q the string of 
2m +1 letters b then it also accepts 2m + 1+1 letters b. Thus A has an accepting 
run from (g, v) in W 2 if it had one in wi. 

If v = 0.7 then consider the run of A from (q,v) till the time point 1.3. 
Automaton A has no use of the clock till that point for the same reason as 
above. It arrives at a set of configurations: some with the value of the clock 1 
and some with the value < 0.3. The later are possible because A could reset a 
clock. Consider the rest of the computation starting from a configuration (g', 1). 
Once again the clock will not be useful to A in the rest of the word. Hence we 
will arrive to the same final states on a 1+m and a 1+m+l . Similarly for all the 
configurations with the values of the clock < .3. 

If v = 0.3 then consider the run of A from (q,v) till the time point 1.7. Till 
that time there was no use of the clock. We get a set of configurations with clock 
value 1 and the other with clock value <0.7. The possible configurations with 
clock value 1 are the same no matter if we have made automaton run on w\ or 
on W 2 , for the same reason as before. As the rest of w\ is the same as the rest of 
W 2 we are done. On the other hand, when comparing configurations with clock 
value < 0.7 in runs over W\ and 102 , the possible locations are the same but the 
clock values may differ. But the clock value is irrelevant before time 2, hence 
again we are done. 

In the argument we essentially use the assumption that we compare clocks 
only with natural numbers. If we allowed to compare with rationals we can get 
an example of the similar kind by using rescaling. Instead of intervals (0,1) and 
(1, 2) we would use smaller intervals that are of the size smaller than the smallest 
constant used by the automaton. 

More precisely, let c ^ 0 be the smallest positive rational such that the 
clock is compared in A either to c or to 1—c or to 1+c. We define words W\ 
and W 2 as follows. In vj\ we have b at times 0.3c, 0.7c, 1 + 0.5c and m b's 
somewhere in the interval (1,1 + 0.3c) as well as m b's somewhere in the interval 
(1 + 0.7c, 1 + c). Word W 2 is obtained from w\ by adding l b's somewhere in the 
interval (1 + 0.3c, 1 + 0.7c); but not at point 1 + 0.5c. The whole proof works 
unchanged. □ 



3 Decidability 


The main result of this section is that the emptiness problem for one-clock alter¬ 
nating timed automata is decidable. Due to closure under boolean operations, 
this implies the decidability of the universality and the containment problems. 

Theorem 2. The emptiness problem is decidable for one-clock alternating timed 
automata. 

Corollary 1. The containment problem is decidable for one-clock alternating 
timed automata. 

The rest of this section is devoted to the proof of Theorem |2] Essentially, 
we have adapted the method of Ouaknine and Worrell m for our more general 
setting. We point out the differences below. 

Fix a one-clock alternating timed automaton A = (Q,qo,F,{x},F,6). For 
readability, assume w.l.o.g. that the boolean conditions appearing in rules of 
S are all in disjunctive normal form. In terms of acceptance games this means 
that each phase consists of a single move of Eve followed by a single move of 
Adam. Consider a labelled transition system T whose states are finite sets of 
configurations, i.e., finite sets of pairs (g,v), where q £ Q and v £ R + . The 

initial position in T is To = {(go, 0)} and there is a transition P —+ P' in T iff 
P' can be obtained from P by the following nondeterministic process: 

— First, for each (q, v) £ P, do the following: 

• let v' := v+t, 

• let b = 5(q , a, o) for the uniquely determined cr satisfied in v', 

• choose one of disjuncts of b, say 

(qi,n) A ... A ( q k ,r k ) (k > 0 ), 

• let Next( giV ) = {(qi, v'ln := 0]) : i = 1... k}. 

- Then, let P' := U( g , v )eP Next (?.v)- 

This construction is very similar to the translation from alternating to nonde¬ 
terministic automata over (untimed) words: we just collect all universal choices 
in one set. Compared to [221 > the essential difference is that we have to deal with 
both disjunction and conjunction, while in 1 22( only one of them appeared. We 
treat conjunction similarly to determinization in (221 . On the other hand, we 
leave the existential choice, i.e., nondeterminism, essentially unaffected in T. 

In what follows we will derive from T a finite-branching transition system 
TL, suitable for the decision procedure. Like in <22], the degree of the nodes of TL 
will not be bounded but nevertheless finite. This is sufficient for our purposes. 

A state {(<?i, Vi),..., (q n , v n )} of T is called bad iff all control states qi are 
accepting (qi £ F). The following proposition characterizes acceptance in A in 
terms of reachability of bad states in T. It is enough to consider reachability 
because A accepts only finite words. 
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Lemma 1. A accepts a timed word w iff there is a path in T, labelled by w, 
from Pq to a bad state. 

Let T be a labelled transition system obtained from T by erasing time infor¬ 
mation from transition labels, i.e., there is a transition P —> Q in T iff there 
is P Q in T, for some t G R+. Now we cannot talk about particular timed 
words but still we have the following: 

Lemma 2. L(A) is nonempty if and only if there is a path in T from Pq to a 
bad state. 

Thus, the (non)emptiness problem for A is reduced to the reachability of a bad 
state in T. The last difficulty is that even if each state of T is a finite set, there 
are uncountably many states. The following definition allows to abstract from 
the precise timing information in states. 

Let c max denote the biggest constant appearing in constraints in S. Let set 
reg of regions be a partition of R+ into 2 • (c ma x+l) sets as follows: 

reg:= {{0},(0,1),{1},(1,2),..., (c max 1, c max ), {c max }, (c max , Too)}. 

For v G K+, let reg(v) denote its region; and let fract(v) denote the fractional 
part of v. Below we work with finite words over the alphabet A = V{Q x reg) 
consisting of finite sets of pairs ( q , r) , where q £ Q is a control state and r G reg 
is a region. 

Definition 5. For a state P of T we define a word H(P ) from A* as the one 
obtained by the following procedure: 

— replace each {q, v) G P by a triple (q, reg(v), f ract(v)} (this yields a finite 
set of triples) 

— sort all these triples w.r.t. fract(v) (this yields a finite sequence of triples) 

— group together triples that have the same value of fract(v), ignoring midtiple 
occurrences (this yields a finite sequence of finite sets of triples) 

— forget about fract(v), i.e., replace each triple (q, reg(v), fract(v)} by a pair 
(i q , reg(v)) (this yields a finite sequence of finite sets of pairs, a word in A*). 

Example 2. To illustrate transformation H , consider P = {(gi, 0.5), (g 2 ,1-2), 
(q 3 , 2.2)}, where q±, q 2 , 93 are locations. 

Let c max = 2. Denote regions by r 0 = {0}, r 0) i = (0,1),..., r 2 = {2}, r 2 , +0 o = 
(2, + 00 ). First, P is transformed into the set 

{(9i, r 0) i, 0.5), (g 2 , ri i2 , 0.2), (q 3 , r 2i+oc , 0.2)}. 

We make it into a sorted sequence (g 2 , ri )2 ,0.2)(g 3 , r 2i+00 ,0.2)(gi, r 0 ,i, 0.5). Then 
we group together triples with the same fractional part, obtraining a sequence 
of length two: 

{( 92 , ri )2 , 0.2), (q 3 , r 2i+00 , 0.2)}, {(q 1: r 0 ,i, 0.5)}. 

Finally we remove the fractional parts and obtain 

H(P) = {(<72, r i, 2 ), (<73, r 2i+00 )}, {(<71, r 0l i)}. 
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Definition 6. Let Tt be the transition system whose states are words H(P) for 
P a state ofT; a transition W\ W 2 is in Tt if there is a transition Pi -—>■ P 2 
in T with H{P\) = Wi, H{P 2 ) = W%. The initial state in TL is Wo = H(Pq). 

Example 3. Assume that the automation from previous example has a rule: 

q 3l a,x>2 ( qi , x ) V ((<72, 0) A (<73, 0)). 

Imagine a transition P —* P' in T corresponding to P P' in T derived 
from the above rule. There are two possibilities: P' = {(<71, 1 . 1 ), ((72, 1 - 8 ), ((71, 0 )} 
or P' = {(qi, 1 . 1 ), ((72, 1 . 8 ), (<72, 2 . 8 ), (<73, 2 . 8 )}. Accordingly, there are two tran¬ 
sitions H(P) W' in H, for W' = {(<71, r 0 )}{(<7i, ri ! 2 )}{(<72, ri >2 )} or W' = 
{(0 , i,ri,2)}{(g 2 ,ri j 2), (g2,r 2 , +0 o), (q 3 , r 2 , +00 )}. In each case W’ = H(P'). Hence, 
transitions in TL can “simulate” transitions in T. On the other hand, H(P) has 
also a transition 

H(P) —> {(< 7 i,r 0 )}{(gi,ri, 2 )}{(g 2 ,ri, 2 ), (<72, r 2 ,+oo), (<? 3 , r 2 ,+oo)} 

that simulates a posible transition of P = {((71, 0 . 5 ), (<72, 1 . 2 ), (<73, 2 . 2 ), (q 3 , 6 . 2 )}. 
Hence, roughly speaking, transitions of H (P) correspond to the union of all the 
transitions of all P such that H(P) = H(P). 

If P is bad and H(P ) = H(P') then P' is bad as well. Hence it is correct to call 
a state W in Tt bad if W = H(P) for a bad state P. 

Lemma 3. L(A) is nonempty iff a bad state is reachable in Tt from Wq. 

Proof. By Lemma [2 we only need to show: a bad state is reachable in T from 
Po iff a bad state is reachable in Tt from Wq. 

Consider a transition system T' obtained from T by imposing one additional 
restriction on transitions: whenever v 3 and v 2 are in the same region, then 
Next( giVl ) = Next( g V2 ). By T' and Tt' denote the transition systems obtained 
from T' instead of T . They have the same states as T and TL , respectively, but 
fewer transitions. Clearly, the additional restriction has no impact on acceptance, 
i.e., on reachability of a bad state. Hence we have: a bad state is reachable in 
T from Po iff a bad state is reachable in T' from Po. And also: a bad state is 
reachable in Tt from Wq iff a bad state is reachable in TL' from Wq. 

Now observe that the graph of H , i.e., the set of all pairs (P, if(P)), is a 
bisimulation between T' and TL' . If P P' then obviously H(P) H(P'). 
If H(P) W' then there exists P' such that P P' and H(P') = W'\ we 
only need to guess appropriate t and derive P' from transition P P' in T' 
(clearly t need not be unique). 

The bisimulation guarantees that a bad state is reachable in T' from Po iff 
a bad state is reachable in TL' from Wo- This completes the proof. □ 

At this point, we have reduced emptiness of L(A) to the reachability of a bad 
state in a countably infinite transition system Tt. The rest of the proof is quite 
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standard hue and exploits the fact that one can put an appropriate well-quasi- 
order ( wqo in short) on states of hi. Unfortunately, we are obliged to redo the 
proofs as we could not find a theorem that fits precisely our setting. 

Definition 7. Let A denote the monotone domination ordering over A* induced 
by the subset inclusion over A, defined as follows: a\ ... a n < b\.. .b m iff there 
exists a strictly increasing function f : {1,..., n} —► {1,..., m} such that for 
each i < n, ai C bfuy 

Lemma 4 (EH)- Relation A is a wqo, i.e., for arbitrary infinite sequence 
Wi, W 2 , ■■■ of words over A, there exist indexes i < j such that Wi P Wj. 

The decision procedure for reachability of bad states will work by an exhaustive 
search through a sufficiently large portion of the whole reachability tree. Thus 
we need to know that an arbitrarily large part of that tree can be effectively 
constructed. Roughly, all time delays of an action a from W can be captured by 
a finite number of cyclic shifts of W with an appropriate change of region. 

Lemma 5. For each state W in hi, its set of successors {W' G A* : W 
W' for some a } is finite and effectively computable. 

Proof. Recall that a word W represents a finite set of pairs (q,v). The letters 
are sorted according to the value of fract(v); moreover the letters represent 
finite sets of pairs in fact, i.e., all the pairs with the same fract(v). Note that 
all pairs with fract(v) = 0, if any, are represented by the first letter of W; and 
the corresponding region is of the form {z} (or (c max , 00 )) in this case. 

Now imagine a transition W W' in hi. This corresponds to some transi¬ 
tion P P' in T, for some t and some chosen set P of pairs (q, v). Importantly, 
the same time delay t is applied to all the pairs (g,v). Denote by P the set ob¬ 
tained from P by time delay, i.e., by replacing each (q, v) with (g, v + £); consider 
this, conceptually, for all t > 0. The corresponding word W in hi is obtained 
from W by an operation similar to a cyclic shift, to the right, repeated as many 
times as needed. This operation modifies W as follows. Note that the first letter 
of W contains either only pairs of the form (q, {z}), either only the pairs of the 
form (q, (z, z + 1)) (and perhaps (c max , 00 ) as well). In the first case, change each 
region {z} in the first letter of W to (z,z + 1) (or to (c max ,oo), if z = c max ). In 
the second case, remove the right-most letter and put it as the first letter in the 
word, and change each region (z, z + 1) to {z + 1}. 

Hence, the set {W' G A* : W W' for some a} can be computed by 
applying the operation defined above an arbitrary number of times (until all 
regions are (c max ,oo)), yielding W; and by calculating the effect of performing 
any transition a from W. □ 

The following observation is proved in the same way as Lemma 15 in 

Lemma 6. The inverse of f relation is a simulation: whenever W± P W 2 and 
W 2 W' 2 , there is some W[ such that W± —* W[ and W[ < W 2 . 
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Proof. Take W\ A W 2 and suppose W 2 W' 2 . By definition it means that 
there is P 2 with H(P 2 ) = W 2 such that there is a transition P 2 P 2 and 
P(P 2 ) = W' 2 . Since W\ A W 2 it is easy to see that there is Pi C P 2 such that 
W = if (Pi); Pl is obtained by removing from P 2 the pairs that do not end 
up in W\ when construction H is applied (cf. Definitional). Now, directly from 
the definition of the transition system T we have Pi — P[ with P[ C P^. So 
W\ H{P[). As P[ C P 2 , we have H{P[) A H 2 as required. 

□ 

The next observation is more specific to our setting but fortunately very easy. 


Lemma 7 (Downward closedness of badness). Whenever W ^ W' and 

W' is bad then W is bad as well. 

Proof. Take a letter u>,; of W. We need to show that q G F for every (q. r) e roi 
By the definition of W A W' we have uq C w' :) for some letter u>' of W'. Hence, 
(q, r) G w'j and q G F as W' is bad. □ 

Now we are ready to prove the main lemma. 

Lemma 8. It is decidable whether a bad state is reachable in Tt from Wo- 

Proof. The reachability tree is the unravelling of H from Wq. The algorithm 
constructs a portion t of the tree conforming to the following rule: do not add 
a node W' to t in a situation when among its ancestors there is some W A W'. 
Lemma 0] guarantees that each path in t is finite. Furthermore, since the degree 
of each node is finite, t is a finite tree. 

We need only to prove that if a bad state is reachable in H from Wq then t 
contains at least one bad state. Let W be such a bad state reachable from Wq in 
H by a path 7 r of the shortest length. Assume that W is not in t. i.e., there are 
two other nodes in n, say W\ and W 2 such that W\ is an ancestor of W 2 in the 
reachability tree and W\ A W 2 (i.e., W 2 was not added into t). Since the inverse 
of A is a simulation by Lemma [S] the sequence of transitions in n from W 2 to W 
can be imitated by the corresponding sequence of transitions from W\ to some 
other W' A W. W' is bad as well by Lemma 0 Moreover, the path leading to 
W' is strictly shorter than 7r, a contradiction. □ 

Theorem |5] follows immediately from Lemma |3] and Lemma 0 

Remark: In fact, Ouaknine and Worrell showed decidability of containment ” 
L(A) C L(B )” in a slightly more general case, namely when automaton A has 
arbitrarily many clocks. Along the same lines one can adapt our proof, assumed 
that A is an arbitrary nondeterministic timed automaton and B is a one-clock 
alternating timed automaton. We sketch below the necessary modifications. 

If we denote by B a dual of B , i.e., an automaton accepting the complement 
of L(B), then the containment reduces to emptiness of L(A) D L(B). Compared 
to the proof above, each state P of T needs to contain additionally information 
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on a configuration of A. Due to the fact that A is purely existential, P will 
contain precisely one pair ( q , v), where q is a state of A and v a valuation of all 
its clocks. The transition relation P -^-y P' is adapted so that the delay t before 
performing an action a is the same in A and B. This guarantees that the facts 
analogous to Lemma|T|and [2]hold; but now a state P is bad iff all states of both 
A and B appearing in P are accepting. 

Definition of H is precisely as before, but it needs a preprocessing: the pair 
(g, v) corresponding to A is split into a number of triples (g, v x , x) , one for each 
clock x of A. The triples are identical on the first component, and v x is the 
value of clock x. Observe that the number of such triples is the same in each 
state of Tt, and equal to the number of clocks in A. An analog of Lemma [3] holds: 
L(A) O L(B) is nonempty iff a bad state is reachable in Tt. 

Finally, Lemma 0 and Q hold as well, and the proofs are similar. The proofs 
of Lemma ED and |H1 rest unchanged. 

4 Lower Bound 

In this section we prove the following lower bound result. 

Theorem 3. The complexity of the emptiness problem for one-clock purely uni¬ 
versal alternating timed automata is not bounded by a primitive recursive func¬ 
tion. 

Since emptiness and universality are dual in the setting of alternating automata, 
as a direct conclusion we get the following: 

Corollary 2. The complexity of the universality problem for one-clock purely 
existential alternating (i.e., nondeterministic) timed automata is not bounded by 
a primitive recursive function. 

This answers the question posed by Ouaknine and Worrell [25] , 

The rest of this section contains the proof of Theorem 0 The proof is a 
reduction of the reachability problem for lossy one-channel systems EH 

Definition 8 (Channel system). A channel system is given by a tuple S = 
( Q, go, £, A), where Q is a finite set of control states, go £ Q is an initial state, 
£ is a finite channel alphabet and A C Q x ({!a : aG-S 1 } U {?a : a£U} U {e}) x Q 
is a finite set of transition rules. 

A configuration of S is a pair (g, w) of a control state g and a channel content 
ui £ £*. Transition rules allow the system to pass from one configuration to 
another. In particular, a rule (q, la, q') allows in a state q to write to the channel 
and to pass to the new state q'. Similarly, (q, la, q') means reading from a channel 
and is allowed in state q only when a is at the end of the channel. The channel 
is a FIFO, and by convention S writes at the beginning and reads at the end. 
Finally, a rule (g, e, q') allows for a silent change of control state, without reading 
or writing. 

Formally, there is a (perfect) transition (q,w) —?-+ ( q',w') if one of the fol¬ 
lowing conditions is satisfied: 
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— 'y = {q, e, q') and w = w', or 

— 7 = (q, !a, q') for some a££, and w' = aw, or 

— 7 = (q, la, q') for some a££, and w = w'a. 

The initial configuration is ( qo,e ), i.e., execution of S starts with the empty 
channel. For technical convenience, we assume w.l.o.g. that there is no rule re¬ 
turning back to the initial state: for each rule ( q , x, q') £ A, q' ^ qg. 

A lossy channel system differs from the perfect one in only one respect: during 
the transition step, an arbitrary number of messages stored in the channel may 
be lost. To define lossy transitions, we need the subsequence ordering on £*, 
denoted by C (e.g., tata C atlanta). We say that there is a lossy transition 
from (q,w) to ( q',w'), denoted by (q,w) ==> ( q',w '), iff there exists u,u' £ £* 
such that uQw, ( q,u) — {q',u') and w' C u'. 

By a lossy computation of a channel system S we mean a finite sequence: 

(9o, e) (<72, w 2 ) ••• (q n ,w n ). ( 2 ) 


Definition 9. Lossy reachability problem for channel systems is: given a chan¬ 
nel system S and a configuration ( qj,Wf), with q/^qo, decide whether there is 
a lossy computation of S ending in ( qf,Wf ). 

Theorem 4 (|24|L The lossy reachability problem for channel systems has non¬ 
primitive recursive complexity. 

The result of m was showed for a slightly different model. Namely, during a 
single transition, a finite sequence of messages was allowed to be read or written 
to the channel. Clearly, reachability problems in both models are polynomial¬ 
time equivalent. 

In the sequel we describe a reduction from the lossy reachability for chan¬ 
nel systems to the emptiness problem for one-clock purely universal alternating 
timed automata. Given a channel system S = ( Q, qo, U, A), and a configuration 
( qf,Wf ), we effectively construct a purely universal automaton A with a single 
clock x, and the input alphabet £ = Q U £ U A. The construction will assure 
that A accepts precisely correct encodings of lossy computations of S ending in 
(q/, Wf). A computation as in (j2j) will be encoded as the following word over £: 

q n TnW n 9n-l7n-l«>n-l ■ ■ ■ 9l7l«T 90, (3) 

where qt £ Q, 7 * £ A, Wi € £*. Let S be fixed in this section. 

It will be convenient here to write timed words in a slightly different way than 
before. From now on, whenever we write a word w = (ai, ti)(a 2 ,£ 2 ) ■ • • (a n ,t n ) 
we mean that the letter cq appeared f, time units after the beginning of the 
word. In particular, Oj+i appeared £*+1 — time units after a,. Clearly this is 
correct only when f, + 1 > ti, for i = 1... n— 1. 

Before the formal definition of encoding of a computation by a timed word 
we outline shortly the underlying intuition. We will require that the letter q n 
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appears at time 0 and then that each letter qt appears at time n — i. Hence, 
each configuration will be placed in a unit interval. To ensure consistency of 
the channel contents at consecutive configurations we require that if a message 
survived during a step i (it was neither read nor written nor lost) then the 
distance in time between its appearances in the sequences Wi and Wi-\ should 
be precisely 1 . 

We will need a new piece of notation : by (w + 1) we mean the word obtained 
from w by increasing all fj by one time unit, i.e., (w + 1 ) = (ai,ti + l)(o 2 ,t 2 + 
1 ) ■ ■ • (^n, tn T 1 ). 

Definition 10. By a lossy computation encoding ending in ( qf,Wf ) we mean 
any timed word over £ of the form: 

{Qmtn')('yn]tn) v n (dn — 1 > t n — 1) ("fn —1 > t n _ i )v n — 1 ... (Ql, fl) (Tl, E )^1 (90)fo)> 

where each iq = ( a\,u\) ... (a/f ,u l f) is a timed word over £. Additionally we 
require that for each i < n and j = 1 ,,li, the following conditions hold: 

(PI) Structure: 

qi G Q, 7» G A, aj G £,Ji = (qt-i,x, qf),q n = qf and a\... a!" = w f . 

(P2) Distribution in time: 

n-i = ti < t[ < u\ < u? < ... < u l f < t i+ 1 = n—i+l. 

(P3a) Epsilon move: if % = (qi- i,e, g,;) then (vi + 1) C Vi-\. 

(P3b) Write move: if 7 * = (qi- 1 , !a, qf) then either Vi = (a^uDv' and »' + lC 
Vi- 1 , or (Vi + 1 ) E Vi- 1 . 

(P3c) Read move: if 7 * = (qt-i, ?a, qf) then Vi -1 = v'(a,t)v" for some timed 
words v ', v" and t G K^_, such that (vi + 1 ) C v'. 

Lemma 9. S has a computation of the form m ending in (q n ,w n ) = ( qf,Wf ) 
if and only if there exists a lossy computation encoding ending in ( qf,Wf ) as in 
Definition E3 

Our aim is: 

Lemma 10. A purely universal automaton A can be effectively constructed such 
that L(A ) contains precisely all lossy computation encodings ending in ( qf,Wf ). 

The proof of this lemma will occupy the rest of this section. Automaton A 
will be defined as a conjunction of four automata, each responsible for some of 
the conditions from Definition m 

A .— Astmct A AnTiit A Astrict A .Acheck- 

All four automata will be purely universal and will use at most one clock. Au¬ 
tomaton Struct verifies condition (PI), automata -4 un it and *4 s trict jointly check 
condition (P2), and -4 c heck enforces the most involved conditions (P3a) - (P3c). 
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We omit an obvious definition of *4 s truct- We also omit the construction of 
the automaton „4 un it checking that letters from Q appear precisely at times 
0,1,... ,n. Automaton district will accept a timed word iff the first letter is at 
time 0 and no two consecutive letters appear at the same time. This can be 
easily achieved by the following rules: 

so, A 1 , x = 0 i—> (s, 0) s, £, x > 0 i—» (s, {x}). 

with so an initial state and both so, s as accepting ones. For readability of no¬ 
tation, when no clock is reset, as in the first rule above, we will omit writing it 
explicitly. Moreover, for conciseness, we implicitly assume that the automaton 
fails to accept from a state, if no rule is applicable in that state. 

The above mentioned automata are not only purely universal but also purely 
existential, i.e., deterministic. The power of universal choice will be only used 
in the last automaton *4 c heck, that checks for correctness of each transition step 
of S. While analysing definition of *4 c heck we will comfortably assume that an 
input word meets all conditions verified by the other automata, otherwise the 
word is anyway not accepted. 

The transition rules of *4 c heck from the initial state so are as follows: 

s 0 l q,tt s 0 A (s step , {a:}), for q G Q \ {<? 0 } 
s 0 ,qo,tt i * T 
so,£uA,tt i—* So- 

Intuitively, at each q € Q, except at qo, an extra automaton is run from the state 
s s tep, in order to check correctness of a single step. Symbol T on the right-hand 
side stands for a distinguished state that accepts unconditionally. 

Now the rules s s t ep , 7 , • • • •—> ... depend on 7 = (q,x,q'). There are three 
cases, corresponding to conditions (P3a), (P3b) and (P3c), respectively. 


I. Case 7 {QAiQ ) • S s tep, (*?, fo Q ), tt 1 t S c hannel- 

In state s c h a nnei, the automaton checks the condition (P3a), i.e., whether all 
consecutive letters from £ are copied one time unit later. This is done by: 

Schannel, Gg tt I > S c hannel C (s a , {x}), for Cl € £ 

Schannel, 9, tt T, for q G Q. 

Hence, the automaton starts a check from 1 at every letter read. Note that 
this is precisely here where the universal branching is essential. The task of s^ 1 
is to check that there is letter a one time unit later: 

s+\a,x = 1 h T 
s+\r,x<l ^ S+ 1 . 
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II. Case 7 = (q, !a, q'): 


^step? (lli Q )j 


\a • 


From state si a the automaton is responsible for checking the correctness of 
the operation !a, i.e., condition (P3b): 

&!ai &•) 1 * -^channel 

S\ a ,b,tt h-> (sjj -1 , {x}) /\ S c hanneh for b G E \ {a} 

S!a, q, tt T, for q G Q. 

First rule reads simply the letter a and then starts the check from s c hannei- This 
is the correct behaviour both when the written message was not forgotten, and 
when after forgetting it the first message is still a. The second rule deals with 
the case when the a written to the channel has been lost immediately. The last 
rule deals with the case when not only the a has been lost, but moreover the 
channel is empty. 

III. Case') = (q, ?a, q'): s step , (q, ?a, g'), tt s? a A (s try ?a, {x}). 

The behaviour of s? a is very similar to Schannei but additionally it will start 
a new copy of the automaton in the state St ry ?a- The goal of St ry ?a is to check 
for the letter a at the end of the present configuration. 

si a ,b, tt i-> s? a A (sjj"\ {a:}) A (s try ?a, {a;}), for b e £ 

S?a, Qi tt 1 * T. 

Note the clock reset when entering to st ry ?a- As we cannot know when the 
configuration ends we start s t r y ?a at each letter read. If we realize that this was 
not the end (we see another channel letter) then the check just succeeds. If this 
was the end (we see a state) then the true check starts from the state s c heck?a: 

Str y ?a> tt I * T 

Str ylaiQjtt I * S c heck?a- 

From s c heck?a we look for some a that appears more than one time unit later: 

Scheck?a? A 1 , X ^ 1 I > S check?a 

Scheck?a; Or^X 1 I * T 

Scheck ?aib,X 1 I > S c heck?a? fo^ b 

Automaton A c heck has no other accepting states but T. 

By the very construction, A satisfies Lemma 0D By Lemma ED S has a com¬ 
putation 0 ending in ( qf,Wf ) if and only if L(A) is nonempty. This completes 
the proof of Theorem 0 

5 Silent transitions 

In this section we point out that by extending the alternating timed automata 
model with e-transitions we lose decidability. It is known that e-transitions ex¬ 
tend the power of nondeterministic timed automata |5I13| . Here we show some 


18 


evidence that every extension of alternating timed automata with e-transitions 
will have undecidable emptiness problem. 

It turns out that there are many possible ways of introducing e-transitions to 
alternating timed automata. To see the issues involved consider the question of 
whether such an automaton should be allowed to start uncountably many copies 
of itself or not. Facing these problems we have decided not discuss virtues of 
different possible definitions but rather to show where the problem is. We will 
show that the universality problem for purely existential automata with a very 
simple notion of e-transitions is undecidable. 

Timed words are written here in the same convention as in previous section: 
w = (ai, ti)(a 2 , £ 2 ) ■ ■ • (a n , t n ) means that the letter a* appeared at time t* since 
the beginning of the computation. 

We consider purely existential (i.e. nondeterministic) automata with one 
clock. We equip them now with additional e-transitions of the form q,e,a <—> b. 
The following trick is used to shorten formal definitions. 

Definition 11. A nondeterministic timed automaton with e-transitions over £ 
is a nondeterministic timed automaton over the alphabet £ e = £ U {e}. 

For convenience, we want to distinguish an automaton A with e-transitions over 
£ from the corresponding automaton over E e ; the latter will be denoted A e . 
Given a timed word v over £ e , by |u| e we mean the timed word over £ obtained 
from w by erasing all (timed) occurrences of e. 

Definition 12. A timed word over £ is accepted by a timed automaton A with 
e-transitions if there is a timed word v over £ e accepted by A e such that w = |u| e . 

Note that according to the definition, an accepting run is always finite. The main 
result of this section is: 

Theorem 5. The universality problem for one-clock nondeterministic timed au¬ 
tomata with e-transitions is undecidable. 

The proof is by reduction of the reachability problem for perfect channel sys¬ 
tems, defined similarly as lossy reachability in Definition El but w.r.t. perfect 
computation of channel systems. Not surprisingly, a perfect computation is any 
finite sequence of (perfect) transitions: 

(*>,e) (<? 2 ,w 2 ) ... {q n ,w n ), 


Theorem 6 (II21)- The perfect reachability problem for channel systems is un¬ 
decidable, assumed 1171 > 2. 

Given a channel system S = ( Q , qo, £, A) and a configuration (qf, Wf ), we effec¬ 
tively construct a one-clock nondeterministic timed automaton with e-transitions 
A! over £. Automaton A' will accept precisely the complement of the set of all 
perfect computation encodings ending in ( qf,Wf ), defined by: 
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Definition 13. A perfect computation encoding ending in (qf,Wf) is defined 
as in Deftnition lUA but with the conditions (P3a) - (P3c) replaced by: 

(P3a) ifji = (qi-i, e, qf) then (ig + 1) = 1 , 

(P3b) if ji = (qi-i,la,qi) then (v^ + 1) = (a,t)vi-i, for some t £ M+. 

(P3c) if = (qi-i,?a,qi) then {vfiafi) + 1) = Vi- 1 , for some t £ K + . 

Since each perfect computation encoding is a lossy one, A! will be defined as a 
disjunction, A' := ~>A V A, of the complement of the automaton A from the 
previous section and another automaton A. As automaton -i A takes care of all 
timed words that are not lossy computation encodings, it is enough to have: 

Lemma 11. Automaton A accepts precisely these lossy computation encodings 
ending in ( qf,Wf ) that are not perfect computation encodings. 

This will be enough for correctness of our reduction: A' will accept precisely the 
complement of the set of all perfect computation encodings. 

In the rest of this section we sketch the construction of the automaton re¬ 
quired by Lemma ITll 

When defining the behaviour of A we can conveniently assume that the input 
word is already a lossy computation encoding. The aim of A is to find a loss of 
a message in the channel. This will be achieved, roughly, via an e-rule trying to 
guess a moment t in time such that there is no message occurrence at time t but 
there is one at time t+ 1. Of course, A (and hence A! as well) will have a single 
clock x and the input alphabet is E = Q U E U A. 

The transition rules of A from the initial state so are: 

s 0 , q, tt i-> s 0 V s s tep for q £ Q \ { 90 } 
so,EL)A,tt 1 —► so- 

Intuitively, at each q £ Q, except at go 7 A chooses either to check correctness of 
this single step or to skip it. A will have no accepting states but T that we will 
use later. 

Now the rules s s t ep , 7 , ••• e-> ... for state s s t ep depend on 7 = (q,x,q'). 
There are three cases, corresponding to conditions (P3a), (P3b) and (PSc), re¬ 
spectively. As the rules follow a similar pattern to that in Section Q] we present 
only the simplest case when 7 = (q, e, q’). 


S step , ( q,e,q'),tt l-> (^channel, {z})- 

In state s c hannei, the automaton searches for a message loss. Here we need e- 
transitions to choose the right moment to move to state s +1 : 

^channel; C, X > 0 I > (s , {x}) 

^channel, A, tt I ' (s c hannel 7 {}) 


The task in state s +1 is to wait precisely one time unit and then check for a 
letter, similarly as state S+ 1 in Section^] Transition from s c h a nnei to s +1 is only 
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possible when x > 0. As x is reset at each letter read, this ensures a positive 
delay between any letter and an e-move. 

s +1 , S, 0 < x < 1 i—► s +1 
s +1 , S,x = 1 <—► T 

The only way of accepting from s +1 is to consume a number of letters while 
0 < x < 1 and finally find a letter at x = 1. Note strictness of the left-hand side 
inequality in 0 < x < 1. It is crucial here and excludes x = 0, that would mean 
that some letter occurred in the input word at the moment of the e-move that 
entered into s +1 . 

This completes our description of the construction of the automaton A as 
required by Lemma ITT! Having it we have the automaton A! which shows The¬ 
orem [3 

6 Infinite words 

In this section we consider one-clock alternating timed automata over infinite 
words with Biichi acceptance condition. The acceptance game is defined similarly 
as in Section |2 but it is played over an w-word 

where ti < <2 < ■ • Hence each play ( qo , Vo), (qi, Vi),... is infinite. The winner 
is Eve iff an accepting state appears infinitely often, i.e., qt £ F for infinitely 
many indices i. We do not explain the details since we will only consider nonde- 
terministic automata in this section (i.e., only Eva plays). We prove the following 
result. 

Theorem 7. The universality problem for one-clock nondeterministic Biichi 
timed automata is undecidable. 

As a direct corollary, emptiness problem of one-clock alternating Biichi automata 
is undecidable as well. 

To prove Theorem 0 we code the halting problem of a Turing machine. We 
can assume that the Turing machine starts the empty tape and accepts by reach¬ 
ing a unique accepting state q acc . Furthermore, we assume that the machine is 
deterministic, i.e., we have a transition function S specifying for each control 
state q and tape symbol a a triple S(q, a) = ( d , q', b) consisting of a head direc¬ 
tion d £ {<—, ■, —>}, new state q' and letter b to be written onto the tape in place 
of a. 

The idea of the reduction is based on the fact that instead of considering 
a computation that just stops in an accepting state we will encode existence 
of a computation that after reaching an accepting state clears the tape with 
blanks and restarts. Thus the accepting computation is rather a repetitive ac¬ 
cepting computation. As the machine is deterministic, the same execution will 
be essentially replayed infinitely often. 
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We code a sequence of configurations as before, each configuration should fit 
in a unit interval. We make our simulation in such a way that the first config¬ 
uration is already of length sufficient for the whole computation, hence in the 
simulation of machine steps we will never have to add or remove tape positions. 

The nondeterministic automaton we are going to construct will accept the 
sequences that are not encodings of the repetitive accepting computation of the 
machine. With one clock we can check that there is a cheating, i.e., letter a in 
one configuration is changed to b in the next although it should have not. We 
can also check that a letter disappeared (it was in one configuration and not 
in the next). What we cannot check directly is that there are new letters in 
the next configuration, i.e., there can appear new tape positions that were not 
there before. But if this kind of inserts happen infinitely often then we can find a 
sequence of tape symbols appearing at times t± < t 2 < ■ ■ ■ such that the sequence 
fract(fi), fract(f 2 ), ... is either strictly increasing or strictly decreasing. This 
can be checked by a nondeterministic Biichi automaton with one clock. Hence, 
we can construct an automaton that does not accept the sequences where there 
are no cheatings, no disappearances and only finitely many inserts. In such a 
sequence we have, from some position on, a correct and accepting computation 
of the Turing machine. Thus, the nondeterministic automaton will not accept 
some word iff the machine halts, i.e., accepts from the empty tape. 

Now wc will make all these intuitions more formal. Let A4 be a fixed Turing 
machine in the rest of this section; by Q and £ let us denote the set of control 
states and tape alphabet of A4, respectively. Assume that a blank symbol B is in 
£. Given A4, we will effectively construct a nondeterministic Biichi automaton 
A with a single clock x over the input alphabet £ = Q U £ U Lx{H}. A letter 
(a, H), for a G £, represents a tape symbol a with the head over it. We put 
£„ = ruAxjH}. 

The configuration of M is a pair (q, w) consisting of a control state q £ Q and 
a word iv E £n* representing the tape content. The transition function 6 of Ad 
gives rise to a relation between configurations, describing the single step of Ab 
We will denote this by qw —> q'w' , to say that a single step from configuration 
(q,w) yields a new configuration ( q',w') and that w and w' are of the same 
length. So we will model computation that does not go outside w with the idea 
that enough space was allocated in the initial configuration. 

This notation assumes a fixed size of tape available, i.e., w and w' are of the 
same length and the head may not move outside w. For convenience, we will 
also write qv q'v' for timed words v and v' if q untime(u) —► (Runtime)?/) 
holds and time-stamps are identical in v and v' (note that v and v' are of the 
same length in particular); untime(u) stands for the word v after removing time- 
stamps. 

Definition 14. By a recurrent accepting computation encoding we mean any 
timed word w over £ of the form: 

(doAo) Vo (qiAi) Vi ..., 
such that the following conditions hold: 
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(PI) Structure: each q, £ Q and each iq = (aj,uj) ... {a l f,uf) is a nonempty 
finite timed word over Ah such that precisely one of a] ... af is in Ax{H}. 
(P2) Distribution in time: i = ti < u\ < u? < ... < uf < fj+i = i+ 1. 

(P3) Acceptance: qo is the initial state of A4, each o/aj ... ag° is in (B, (B,H)}, 
and qi = q acc for infinitely many i. 

(P4) Recurrence: whenever g,;_i = g Q0C , then qi = qo and aj,... ,a l f £ (B, (B, H)}. 
(P5) Steps: whenever q t -i ^ q aC c, + 1) qi.v, for some wCd,. 

(P6) Insertions bound: w contains no infinite subsequence (ao, uo)(ai, u\)... 
such that uq < u\ < ..., ai £ Eyi for all i > 0, and the sequence 

fract(uo), fract(iti),... 

is either strictly increasing or strictly decreasing. 

Lemma 12. Started with the empty tape, the machine A4 accepts if and only if 
there exists a recurrent accepting computation encoding as in Definition \lf\ 

Proof. Assume A4 accepts. There is a sequence 

q 0 w 0 -* qiwi ... -> q n w n 

where q n = q acc and wo is a finite word over representing a sufficiently 
big portion of initially empty tape to store the computation. Hence, there is a 
recurrent accepting computation encoding obtained by repeating infinitely the 
word qoWoqiWi... q n w n ; time-stamps for tape symbols in wq, ... can be 
chosen arbitrarily to satisfy (P2) and (P5). 

For the opposite direction, assume that some recurrent accepting computa¬ 
tion encoding w exists. 

By (P6), it contains only finitely many insertions , where by an insertion we 
mean a pair (a,i), a € A H , appearing in w such that no letter appears at time 
t — 1 in to. Indeed, assume otherwise, i.e., assume that the number of insertions 
in w is infinite. Build the infinite sequence of all the insertions, in the order they 
appear in w. The fractional parts fract(f) of all the time-stamps form an infinite 
sequence of reals in (0..1), with no number appearing twice. Such a sequence has 
necessarily a subsequence that is either strictly increasing or strictly decreasing 
- contradiction with (P6). 

By (P3) and (Pf), w contains infinitely many restarts of the machine. This 
implies that there is a restart followed by no insertion any more. Hence, from 
this position on, the encoding simulates the machine faithfully and provides the 
halting run of the machine. □ 

The undecidability result will follow from the next lemma. 

Lemma 13. A nondeterministic automaton A can be effectively constructed 
such that L(A) contains precisely all timed words that are not recurrent accepting 
computation encodings. 
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The automaton A is a disjunction of six automata, each of them accepting 
timed words that do not satisfy one of conditions (P1)-(P6), respectively. We 
omit the automata for (negation of) (Pl)-(PJ^) and focus on the other two 
conditions only. While analysing the definitions we may assume conveniently 
that the input word satisfies conditions (Pl)-(P^). 

Automaton for negation of (P5), in its initial state so, at each letter q £ Q 
read, decides nondeterministically either to check this step, or to keep searching 
for another step to check; in the former case, it guesses a move of the head in 
this step: 


So, q, tt i—> si V s^ V s« V So, for q £ Q 
so, -A7 h , tt i—> so- 

To show the idea, we present in detail the transition rules from state s? only; 
but we omit transitions from s(L and si*, as they are conceptually similar. In 
state s 9 , the automaton needs to check that the next configuration differs from 
the configuration determined by a single machine step from the current config¬ 
uration. The automaton can check tape symbols appearing precisely one unit 
later that some symbol in the current configuration; hence insertions are pretty 
allowed. 


s 9 ,a, tt i—> 
s q , (a, H),ff h-> 
Scant, a, tt ^ 

Slant, q', U 


(S+ 1 , {x}) V s q , for a £ £ 

W) VS cont> ^ a ) 

(4M4) vsL 

T, if q ^ q. 


b) 


Observe that the automaton fails to accept from s? if the head move in current 
configuration is not i.e, the automaton’s guess has been incorrect. The task 
from state , for a £ A H , is merely to check that the letter appearing one unit 
later is not equal to a, or that there is no such letter at all: 


s+\£,x< 1 

Sa X ,b,X = 1 
S+ 1 , > 1 


T, if a ^ b 
T. 


The only accepting state is T. 

Now we switch to condition (P6). The task is to recognize a strictly increas¬ 
ing or strictly decreasing subsequence as defined in (P6), hence the automaton 
is a disjunction Ai nc V Adec- For simplicity of analysis, assume that the input 
word satisfies all previous conditions (P1)—(P5). In particular, for each letter 
appearing at time t, say, there is another letter at time t + 1. 

As a preparation, consider the following transition rules, from states s and 
s, respectively: 
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s,Sji,tt i—> s s,£n,x<l i—> s 

s,Q,x < 1 i—> s s, £yl,x=1 i—> (s, {x}) 

s,Q,x = 1 (s,{x}) s,Q,tt i-> (s, {x}) 

Imagine that the clock x has been reset at some letter a G J7 H of the input word. 
Now, starting from state s, the above rules describe scanning of the word in the 
following cycle: scan all letters in S E staying in state s, then on q £ Q change the 
state to s; then scan the following letters in S E until x = 1, i.e., until precisely 
one time unit elapses since the last clock reset; then reset the clock again and 
change to state s; and so on. Hence, the whole word is conceptually split into 
segments determined by the clock resets, and each segment is typically scanned 
in two “phases”: first the s-phase and then the s-phase. The transition from s to 
s can happen when we see a state from Q ; thus only at integer times by property 
(P2). The only small difference appears when one of the phases starts by a clock 
reset at some letter q € Q; in this case the other phase is degenerate and the 
bottom-most transition rules for s and s apply. In fact this is the case initially, 
since for the initial state of „4i nc and _4dec we choose s and s, respectively. 

Having these rules, definition of A ln c and ./Idee requires only appropriate 
handling of moments where additional clock resets may be done. In ^4j nc the 
additional clock resets will be enabled only during s-phase, while in *4d ec only 
in s-phase. 

We will need a third state s' with the following rules: 

s , Th, tt i— > s 
s',Q,tt i—> s, 

enabling to mimic the s-phase, but not enabling for any additional clock reset 
until some q £ Q is observed. State s' will be the only accepting state in both ^4i nc 
and ./Idee and will be intentionally visited at each consecutive letter belonging to 
a strictly increasing (or decreasing) subsequence. Now, to complete the definition 
of .4i nc , we allow the transition from s to s' by replacing the first rule for s by 
the following rule: 

s,£n,tt i—* sV(s',{x}). 

Notice that we do not allow to reset clock more than once in one s-phase (by 
the first rule for s'). But as we have assumed (P1)-(P5), we know that each 
letter reappears, perhaps not identically, one unit later. Hence we will not miss 
a strictly increasing subsequence, but only “postpone” capturing its next element 
to the next s-phase. 

Similarly, to complete the definition of -4dec, we allow the transition from s 
to s' by replacing the first rule for s by the following one: 

s, 27 h ,x<1 i—> sV(s',{x}). 

This completes description of automaton A needed for the proof of Lemma lT^l 
and hence also the proof of Theorem 0 
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7 Final Remarks 


In this paper we have explored the possibilities opened by the observation that 
the universality problem for nondeterministic timed automata is decidable |22l 
We have extended this result to obtain a class of timed automata that is closed 
under boolean operations and that has decidable emptiness problem. We have 
shown that despite being decidable the problem has prohibitively high complex¬ 
ity. We have also considered the extension of the model with epsilon transitions. 
The undecidability result for this model points out what makes the basic model 
decidable and what further extensions are not possible. Finally, maybe some¬ 
what surprisingly, we prove that the universality for 1-clock nondeterministic 
timed automata but over infinite words is undecidable. 

We see several topics for further work: 

— Adding event-clocks to the model and/or extending from timed words to 
trees. It seems that in both cases one would still obtain a decidable model. 

— Decidability of the universality problem for one-clock co-Biichi automata is 
still open. 

— Finding logical characterisations of the languages accepted by alternating 
timed automata with one clock. Since we have the closure under boolean 
operations, we may hope to find one. 

— Finding a different syntax that will avoid the prohibitive complexity of the 
emptiness problem. There may well be another way of presenting alternating 
timed automata that will give the same expressive power but for which the 
algorithmic complexity of the emptiness test will be lower. 
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